Most active commenters
  • mtlynch(4)

←back to thread

Stripe records user movements on its customers' websites

(mtlynch.io)
1134 points mtlynch | 11 comments | 21 Apr 20 17:01 UTC | HN request time: 0.4s | source | bottom
Show context
mtlynch ◴[21 Apr 20 17:01 UTC] No.22936825[source]
Author here. Happy to answer any questions or hear feedback about this post.
replies(4): >>22937478 #>>22937646 #>>22937672 #>>22938279 #
1. tomashertus ◴[21 Apr 20 18:13 UTC] No.22937672[source]
This is a common practice for anti-fraud detection systems. The whole article is sensationalistic. You will see similar techniques used all over the web (your bank website, Ticketmaster, airlines websites, etc.).
replies(1): >>22937868 #
2. mtlynch ◴[21 Apr 20 18:30 UTC] No.22937868[source]
Thanks for reading!

> This is a common practice for anti-fraud detection systems... You will see similar techniques used all over the web (your bank website, Ticketmaster, airlines websites, etc.).

I respectfully disagree.

My bank tracks my movement on their own website. They don't track movement on other businesses' websites.

I believe many developers integrate with Stripe expecting that their JS library executes and shares data only on the pages where Stripe UI elements appear on the page. The fact that JS library runs on every page and sends data back to Stripe, even before the app calls the API, is unexpected. I believe that Stripe should, at the very least, make this more obvious to integrators and, ideally, give site owners the ability to limit what data Stripe collects.

replies(3): >>22938098 #>>22938101 #>>22939474 #
3. brunoTbear ◴[21 Apr 20 18:51 UTC] No.22938098[source]
You may not be aware of how many banks/airlines/ticket websites have outsourced their fraud fighting to solutions like Shape Security, or Sift (Science). Web-wide tracking via cookies is a reasonable and widespread technique for fighting fraud.

Given your background I'd imagine you'd be aware of this.

replies(3): >>22938330 #>>22938364 #>>22938781 #
4. huhtenberg ◴[21 Apr 20 18:51 UTC] No.22938101[source]
> I believe many developers integrate with Stripe expecting that their JS library executes and shares data only on the pages where Stripe UI elements appear on the page.

What makes you believe that exactly?

If you include stripe.js on your About page, all bets are off for that page. You can believe all you want here, but you have explicitly included some 3rd js code, so feigning surprise that it gets executed is shallow.

replies(1): >>22938240 #
5. mtlynch ◴[21 Apr 20 19:06 UTC] No.22938240{3}[source]
>> I believe many developers integrate with Stripe expecting that their JS library executes and shares data only on the pages where Stripe UI elements appear on the page.

> What makes you believe that exactly?

I've read all the StackOverflow and Github issue posts I can find related to this issue.[0,1,2,3,4] The overall sentiment from developers is that they're surprised and don't want Stripe to send this information. That said, there's obviously a selection bias because the ones who consider it expected behavior don't post.

> If you include stripe.js on your About page, all bets are off for that page. You can believe all you want here, but you have explicitly included some 3rd js code, so feigning surprise that it gets executed is shallow.

Sure, I'm ultimately responsibility for what runs on my site. I believe Stripe is also responsible for clearly disclosing the behavior of their library, and I feel like open critique is an appropriate way to encourage that.

[0] https://github.com/stripe/react-stripe-elements/issues/257

[1] https://github.com/stripe/react-stripe-elements/issues/99

[2] https://stackoverflow.com/questions/45718026/stripe-js-makin...

[3] https://stackoverflow.com/questions/56481458/why-does-stripe...

[4] https://stackoverflow.com/questions/55904278/reduce-network-...

6. mtlynch ◴[21 Apr 20 19:13 UTC] No.22938330{3}[source]
> You may not be aware of how many banks/airlines/ticket websites have outsourced their fraud fighting to solutions like Shape Security, or Sift (Science). Web-wide tracking via cookies is a reasonable and widespread technique for fighting fraud.

I view that as a different situation. If a bank/airline/ticketer outsources fraud to a third party, there's presumably an informed exchange of "we'll let you run JS on every page on our website and suck up whatever information you want if you help us detect fraud."

In the case of Stripe, I don't believe they're clear with client applications that they're collecting information from every page of an app. I think most developers integrate with Stripe so they can accept payment on one or two pages and probably don't expect Stripe to be collecting the level of data they're reporting back to Stripe servers.

replies(1): >>22938487 #
7. bsamuels ◴[21 Apr 20 19:17 UTC] No.22938364{3}[source]
I honestly cannot fault him. While online fraud prevention is a massive industry that touches almost every major website we use, you don't exactly have people giving talks about how serious the problem is or how advanced the detection tooling is because the nature of the industry requires you to keep your methods secret.

Heck, I have a friend who's working on a non-finance web app with <20k MRR, and even at that size he's starting to encounter fraud problems that require tooling to mitigate.

If your app stores any data that may be sellable on the dark web, you are a target.

8. brunoTbear ◴[21 Apr 20 19:30 UTC] No.22938487{4}[source]
This “level of data” doesn’t strike me as alarming. It’s views and mouse locations. Really no different than any simple analytics solution.

Hypothetically: I tell a dev to drop a piece of JS on every page that seems related to payments. That dev probably isn’t doing their job super well if they don’t ask me why or wonder why and find out.

I think you imagine HN readers to be dumb. Nothing here is surprising.

I know it’s covid era and we felt good as a community wagging our fingers at Zoom’s naughty FB tracking inclusion. Legitimate concerns there given the advertising business model, and no good reason for zoom to be doing it. This is fundamentally different: the data is for a good purpose with a narrow scope to a good company with a user-positive value creation model.

I believe your princess is in another castle.

replies(1): >>22939843 #
9. SahAssar ◴[21 Apr 20 20:05 UTC] No.22938781{3}[source]
> reasonable and widespread

One of those can be factual and the other is clearly subjective.

10. voiper1 ◴[21 Apr 20 21:23 UTC] No.22939474[source]
>I believe many developers integrate with Stripe expecting that their JS library executes and shares data only on the pages where Stripe UI elements appear on the page. The fact that JS library runs on every page and sends data back to Stripe, even before the app calls the API, is unexpected.

It's not unexpected when they tell you to include it on every page:

As was in their docs ages ago and still now: https://stripe.com/docs/js

>Including Stripe.js >Include the Stripe.js script on each page of your site—it should always be loaded directly from https://js.stripe.com, rather than included in a bundle or hosted yourself.

>To best leverage Stripe’s advanced fraud functionality, include this script on every page, not just the checkout page. This allows Stripe to detect anomalous behavior that may be indicative of fraud as customers browse your website.

... they are asking you to enable them to track your user's interaction with your entire website.

11. adambyrtek ◴[21 Apr 20 22:04 UTC] No.22939843{5}[source]
You might have some reasonable arguments, but your condescending tone is completely undermining the conversation.